On Nov 4, 2020, at 5:09 AM, Daniel Gustafsson <dan...@yesql.se> wrote:
> (sorry for slow response). You are absolutely right, the has_password flag
> must be tracked per connection in PGconn. The attached v17 implements this as
> well as a frontend bugfix which caused dropped connections and some smaller
> fixups
> to make strings more translatable.

Some initial notes from building and testing on macOS Mojave. I'm working with both a brew-packaged NSS/NSPR (which includes basic nss-/nspr-config) and a hand-built NSS/NSPR (which does not).

1. In configure.ac:

> + LDFLAGS="$LDFLAGS $NSS_LIBS $NSPR_LIBS"
> + CFLAGS="$CFLAGS $NSS_CFLAGS $NSPR_CFLAGS"
> +
> + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3'
> is required for NSS])])

Looks like SSL_VersionRangeSet is part of libssl3, not libnss3. So this fails with the hand-built stack, where there is no nss-config to populate LDFLAGS. I changed the function to NSS_InitContext and that seems to work nicely.

2. Among the things to eventually think about when it comes to configuring, it looks like some platforms [1] install the headers under <nspr4/...> and <nss3/...> instead of <nspr/...> and <nss/...>. It's unfortunate that the NSS maintainers never chose an official installation layout.

3. I need two more `#define NO_NSPR_10_SUPPORT` guards added in both

    src/include/common/pg_nss.h
    src/port/pg_strong_random.c

before the tree will compile for me. Both of those files include NSS headers.

4. be_tls_init() refuses to run correctly for me; I end up getting an NSPR assertion that looks like

    sslMutex_Init not implemented for multi-process applications !

With assertions disabled, this ends up showing a somewhat unhelpful

    FATAL: unable to set up TLS connection cache: security library failure. (SEC_ERROR_LIBRARY_FAILURE)

It looks like cross-process locking isn't actually enabled on macOS, which is a long-standing bug in NSPR [2, 3]. So calls to SSL_ConfigMPServerSIDCache() error out.

--Jacob

[1] https://github.com/erthink/ReOpenLDAP/issues/112
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=538680
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1192500
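
Review bot: in the quoted configure.ac hunk, $NSS_LIBS and $NSPR_LIBS are appended to LDFLAGS rather than LIBS, so the -l options end up ahead of the objects on the link line, which can leave symbols unresolved with static libraries or linkers that drop unneeded libraries; appending them to LIBS is the usual autoconf placement. The AC_CHECK_LIB probe also names only nss3, so it finds a symbol that lives in another library only when those variables happen to pull that library in. A separate AC_CHECK_LIB for each required library, each probing a symbol that library itself exports, would make the check independent of nss-config and let the AC_MSG_ERROR text name the library that is actually missing.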